I'm using Cloudflare Tunnels for a couple of workloads at my homelab. They are working great. In some instances I cannot protect my applications via the "Access / Application" options that are available, because my iOS app won't allow me to use any auth before connecting to it. Not a big problem. I use a UUID v4 subdomain for these kind of service. But to sleep a little bit better I would like to geo restrict the source IP...
Since I cannot use the "Access / Application" options I tried the "Gateway / Firewall DNS policies", but I don't think they are being used for a Tunnel. Am I right?
You can use the app policies by denying everyone access and then bypassing for a specific country. That way, only that country will reach your app.
But be informed that a UUID subdomain is only security by obscurity, sooner rather than later your domain will get discovered.
Maybe look at using WARP and private endpoints.
Comment 1 on Answer
Problem is that I cannot use the app policies because I have to use some Identity provider besides using other optiones like WARP, country, and so on, right?! I have to enter at least for the first time an email addy. And that's not possible for the iOS app. Or am i misunderstanding something here? Thanks
My response to comment 1
When using a bypass rule, it acts, if the condition fits, as if there is no app policy, so no IdP is needed.
Comment 1.1 on Answer
Thank you so so so much u/MasterofSynapse!!! You made my week. I totally missed to option to toggle between these options.
My response to comment 1.1
Always happy to help :) And yes, the dropdowns are a bit non-obvious at first